-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Curtis,

On 26 August 2000 at 18:49:48 GMT -0500 (which was 00:49 where I
live) [EMAIL PROTECTED] wrote and made these points on the subject
of "Gaping hole in NAI PGP":

MDP>> I don't think anyone's had time to doctor my keys in the 36
MDP>> hours the loophole's been public knowledge ;-).

ACM> I got the impression that the hole is created with the key
ACM> generation and that to eliminate the potential problem we'd have
ACM> to upgrade as well as generate new keys.

The hole is that anyone can add an ADK (Additional Decryption Key) to
a key and then upload that key to a server thus compromising the
security of that key. When that key is downloaded and used for
encryption, if the ADK is inadvertently used then the individual who
compromised the key will be able to decrypt the message too.

We would only need to generate new keys if any of our keys had been
compromised in this way. IMHO there have never been any deliberate or
malicious exploits of this hole. It was discovered and proved as an
academic exercise on Thursday afternoon. Here we are on Friday with
the fixes already being posted.

- --
Cheers,
.\\arck

><    Marck D. Pearlstone | Moderator TBUDL / TBBETA              ><
>< PGP Key ID: 0x929DCDA0 | www: http://www.silverstones.com      ><
>< PGP Key: <mailto:[EMAIL PROTECTED]?Body=GET%20MARCKKEY> ><

 Kids Stuff:
While the earth seems to be knowingly keeping its
distance from the sun, it is really only centrificating.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
TB! v1.46 Beta/3 S/N 14F4B4B2 on Windows 98 4.10 Build 1998

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
Comment: PGP Signed so you know it's really me

iQA/AwUBOacK+jnkJKuSnc2gEQIrVwCfVovlXhd9RbpDM4HC40g/EzKfsgcAoJih
TxWgLFTaSPFQAZDv4WrZJ2em
=g8bP
-----END PGP SIGNATURE-----

-- 
--------------------------------------------------------------
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   <mailto:[EMAIL PROTECTED]>
To Unsubscribe from TBUDL, double click here and send the message:
   <mailto:[EMAIL PROTECTED]>
--------------------------------------------------------------
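
The message above describes an ADK being added to someone else's key; it does not say where in the key the addition sits. In the published analysis of this flaw it was an ADK subpacket (type 10) placed in the unhashed area of the key's self-signature, which the signature does not cover. The following check is an added example, not part of the original message or of any PGP product: it assumes the body of a version 4 signature packet has already been extracted from the key, and all sample bytes and helper names are constructed for illustration.

```python
ADK_SUBPACKET = 10  # PGP 5/6 "additional recipient request"; RFC 4880 lists 10 as a placeholder

def subpackets(area):
    """Yield (type, body) for each subpacket in one subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        hdr = 1 if first < 192 else 2 if first < 255 else 5
        if i + hdr > len(area):
            raise ValueError("truncated subpacket length")
        if hdr == 1:
            length = first
        elif hdr == 2:
            length = ((first - 192) << 8) + area[i + 1] + 192
        else:
            length = int.from_bytes(area[i + 1:i + 5], "big")
        i += hdr
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # bit 7 of the type is the critical flag
        i += length

def find_adks(sig_body):
    """Return [(area_name, body_hex)] for each ADK subpacket in a v4 signature packet body."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    h_end = 6 + int.from_bytes(sig_body[4:6], "big")   # end of hashed area
    u_start = h_end + 2
    u_end = u_start + int.from_bytes(sig_body[h_end:u_start], "big")
    if u_end > len(sig_body):
        raise ValueError("truncated subpacket areas")
    areas = (("hashed", sig_body[6:h_end]), ("unhashed", sig_body[u_start:u_end]))
    return [(name, body.hex()) for name, area in areas
            for kind, body in subpackets(area) if kind == ADK_SUBPACKET]

def unauthenticated_adks(sig_body):
    """ADK requests outside the signed data: these could have been appended by anyone."""
    return [hit for hit in find_adks(sig_body) if hit[0] == "unhashed"]

# --- constructed sample data (not real keys; signature MPIs omitted) ---
def _sub(kind, body):
    return bytes([len(body) + 1, kind]) + body
def _sig(hashed, unhashed):  # v4, type 0x13 certification, DSA (17), SHA-1 (2)
    return (bytes([4, 0x13, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")
CREATED, ISSUER, ADK = _sub(2, bytes(4)), _sub(16, bytes(8)), _sub(10, b"\xaa" * 22)
CLEAN = _sig(CREATED, ISSUER)              # no ADK at all
OWNER_SET = _sig(CREATED + ADK, ISSUER)    # ADK inside the signed (hashed) area
TAMPERED = _sig(CREATED, ISSUER + ADK)     # ADK in the unsigned (unhashed) area
```

A non-empty result from `unauthenticated_adks` on a key's self-signature is the condition to flag before encrypting to that key.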
